International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395 -0056
Authentication from Forest Fire Attacks using Trustee Based System
Anwaya Patil^1, Kalpana Thakare^2, Kishor Sadafale^3
^1 Student, Information Technology, Sinhgad College of Engineering, Pune, Maharashtra, India
^2 Associate Professor, Information Technology, Sinhgad College of Engineering, Pune, Maharashtra, India
^3 Assistant Professor, Information Technology, Sinhgad College of Engineering, Pune, Maharashtra, India
Abstract - Social networking has become more popular over the last few decades as a way for users to meet and interact online. Users spend a significant amount of time sharing their personal information on social networking sites such as Gmail, Twitter and Facebook. Passwords provide reliable security and protection against unwanted access to resources on a social network platform. Password security, whether a textual password or a graphical password, is not convenient for users who forget their passwords. To overcome this drawback of these authenticators, a backup authentication mechanism is taken into consideration. A backup authentication mechanism helps users to recover their passwords. Recently, a new backup authentication mechanism called trustee-based social authentication has shown promising results. In this authentication method, every user depends on multiple trustees for the backup mechanism, so the hacking of one user's profile affects many other users. This is called a "Forest Fire attack". This paper focuses on trustee-based social authentication, in which users select trustees and recover their account via verification mails. The security mails generated by the system give a more secure trustee-based authentication system.
Keywords: Authentication methods, Social Authentication, Backup Authentication Mechanism, Trustee based authentication
1. INTRODUCTION
Authentication has become the most important means for an organization to provide accurate and reliable security against recent events of theft and terrorism [1]. Authentication methods are classified into three broad categories, namely token based (two factor), biometric based (three factor) and knowledge based (single factor) authentication [2].
Fig. 1 Classification of Authentication Methods
A. Token Based Authentication
It is based on something you possess, for example smart cards, a driver's license, a credit card or a university ID card. Users enter their username and password in order to obtain a token, which then allows them to fetch a specific resource without sending their username and password again. Once the token has been obtained, the user can present the token, which grants access to a specific resource for a limited time period, to the remote site [3]. Many token-based authentication systems also use knowledge-based techniques to enhance security [2].
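The exchange described above, as an added example that is not part of the paper: a server checks the username and password once, issues a signed token scoped to one resource and valid for a limited time, and later accepts that token without seeing the password again. The function names (issue_token, verify_token), the in-memory USERS store and the sample user are constructed for this example; the token format is a plain HMAC-signed JSON payload rather than any particular standard.

```python
import base64
import hmac
import json
import secrets
import time
from hashlib import pbkdf2_hmac, sha256

# Added example, not code from the paper: the token-based flow described above.
# A user sends username and password once, receives a signed, time-limited token
# scoped to one resource, and presents only that token on later requests.
# issue_token, verify_token, USERS and the sample user are constructed names.

SERVER_KEY = secrets.token_bytes(32)   # signing key held only by the server
_SALT = secrets.token_bytes(16)        # one salt for this toy store; use per-user salts in practice
USERS = {"alice": pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 50_000)}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, password, resource, ttl=900, now=None):
    """Exchange credentials for a token valid for `resource` during the next `ttl` seconds."""
    stored = USERS.get(username)
    if stored is None:
        return None
    candidate = pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
    if not hmac.compare_digest(stored, candidate):
        return None                                    # wrong password: no token
    now = time.time() if now is None else now
    claims = {"sub": username, "res": resource, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, sha256).digest()   # binds the claims to the server key
    return b64url_encode(payload) + "." + b64url_encode(tag)


def verify_token(token, resource, now=None):
    """Return the username if the token is genuine, unexpired and issued for this resource."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64url_decode(payload_b64), b64url_decode(tag_b64)
    except ValueError:                                 # malformed token or bad base64
        return None
    expected = hmac.new(SERVER_KEY, payload, sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                                    # modified claims or forged tag
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["res"] != resource or claims["exp"] <= now:
        return None                                    # wrong resource or expired
    return claims["sub"]
```

The tag ties the claims to a key only the server holds, so editing the resource or the expiry inside the payload invalidates the token, and the expiry check is what bounds the damage if a token leaks.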
B. Biometric Based Authentication
Biometrics (from the ancient Greek bios = "life" and metron = "measure") is the study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits [4]. A biometric scanning device takes a user's biometric data, such as an iris pattern or a fingerprint scan, and converts it into digital information that a computer can interpret and verify. A biometric-based authentication system may deploy one or more biometric technologies: voice recognition, fingerprints, face recognition, iris scan, infrared facial and hand vein thermograms, retinal scan, hand and finger geometry, signature, gait, and keystroke dynamics [6]. Biometric identification depends on computer algorithms to make a yes/no decision. It enhances user service by providing quick and easy identification [7].
C. Knowledge Based Authentication
Knowledge-based techniques are the most extensively used authentication techniques and include both text-based and picture-based passwords [2]. Knowledge-based authentication (KBA) identifies you by something you know, for example a Personal Identification Number (PIN), a password or a pass phrase. It is an authentication scheme in which the user is asked to answer at least one "secret" question [8]. KBA is often used as a component in multifactor authentication (MFA) and for self-service password retrieval. Knowledge-based authentication offers several advantages over traditional (conventional) forms of e-authentication such as passwords, PKI and biometrics [9].
2. LITERATURE REVIEW
Over the last few years, a major problem in society has been protecting systems from malicious attacks. A secure system must be reliable for its users. Passwords are a secret shared between the user and the verifier, but these passwords are hacked by attackers to steal personal and professional information. Several different techniques, implemented with various algorithms and rich features, exist. Authentication is simple, but protecting the system is one of the tough jobs.
Several authentication systems with different techniques and methods that exist in the literature are discussed in this section; they help users secure their accounts against malicious attacks.
1. Textual password:
The most common method of securing an account is textual authentication, which uses alphanumeric usernames and passwords. The main drawback of alphanumeric passwords is that they are hard to remember.
2. Graphical Password:
A graphical password is a technique used to overcome the drawbacks of textual passwords. Graphical passwords can be used against dictionary attacks, social engineering, eavesdropping, etc. The main disadvantage of graphical passwords is that they are vulnerable to shoulder surfing.
3. Session Password:
Textual passwords and graphical passwords are vulnerable to various attacks such as shoulder surfing, dictionary attacks and eavesdropping. Both techniques have their own drawbacks, and passwords are complicated to remember. The solution to this problem is the session password, which is a combination of the textual password and the graphical password.
4. Multitouch Gesture Based Authentication:
In addition to the authentication methods above, there is one more technique, called multitouch gesture based authentication. This technique provides a canonical set of 22 multitouch gestures of hand and finger movements.
5. Social Authentication
In general, depending on how friends are involved in the authentication process, social authentications can be classified into two categories, i.e., trustee-based and knowledge-based social authentication. In trustee-based social authentication [10], which is studied in this paper, the selected friends (i.e., trustees) aid the user in the authentication process. Knowledge-based social authentication, however, asks the user questions about his or her selected friends; in such systems, friends are not directly involved.
1. Knowledge-based social authentication systems:
Such social authentications are still based on something you know. Yardi et al. [15] proposed a knowledge-based authentication system based on photos to test whether a user belongs to the group (e.g., an interest group on Facebook) that he or she tries to access. Facebook recently launched a similar photo-based social authentication system [16], in which Facebook shows a few photos of a friend of the user and asks the user to name the friend. Such a system essentially relies on the user knowing the person in the shown photos. However, recent work has shown, via theoretical modeling [17] and empirical evaluation [18], that photo-based social authentication is not resilient to attacks such as automatic face recognition, which questions its use as a backup authentication mechanism.
2. Trustee-based social authentication systems:
Authentication is traditionally based on three factors: something you know (e.g., a password), something you have (e.g., an RSA SecurID), and something you are (e.g., keystroke dynamics). Brainard et al. [10] proposed using a fourth factor, i.e., somebody you know, to authenticate users. We call this fourth factor trustee-based social authentication. Originally, Brainard et al. combined trustee-based social authentication with some other factor as a two-factor authentication mechanism. Later, trustee-based social
authenticator [11, 12, 13]. For instance, Schechter et al. [14] designed and built a prototype trustee-based social authentication system which was integrated into Microsoft's Windows Live ID system. Moreover, Facebook announced its trustee-based social authentication system, called Trusted Friends, in October 2011 [12], and it was redesigned and improved to become Trusted Contacts [11] in May 2013.
3. COMPARISON
In this section, an overall comparison of all the authentication techniques is given. Different authentication methods are discussed, from textual to social authentication. Backup authentication involves knowledge-based and trustee-based authentication. The comparison is presented in Table 1 below.
TABLE 1. COMPARISON OF DIFFERENT AUTHENTICATION

| No. | Author | Paper Title | Work Done | Problem Found |
|-----|--------|-------------|-----------|---------------|
| 1 | Lawrence O'Gorman et al. [2003] | Comparing Passwords, Tokens, and Biometrics for User Authentication | The author examines passwords, security tokens, and biometrics, collectively called authenticators, and compares these authenticators and their combinations | Deficiencies in identifying a comprehensive picture of the user |
| 2 | Ariel Rabkin et al. [2008] | Personal knowledge questions for fallback authentication: Security questions in the era of Facebook | The author describes the password retrieval mechanisms of a number of personal banking websites and finds that many of them rely in part on security questions with serious usability and security weaknesses | Today's personal security questions owe their strength to the hardness of an information-retrieval problem |
| 3 | Nick Feamster et al. [2008] | Photo-Based Authentication Using Social Networks | A framework for authenticating members of groups using photographs | Implementing Lineup in a real-world social network to choose the pictures |
| 4 | Stuart Schechter et al. [2009] | It's Not What You Know, But Who You Know | Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts, or at least | The users must be reminded of who their trustees are. While email-based attacks |
Trustee-based social authentication works as follows for a user Alice. The system consists of two phases: a Registration Phase and a Recovery Phase. First, the user provides a friend list to the service provider during registration; either the user or the service provider selects trustees from it. When an attacker compromises the account, the service provider sends verification emails to the trustees. The trustees then send the verification codes to the system as confirmation. Finally, the user resets his or her password. The overall framework of the method is shown in Fig. 2.
Fig. 2: Illustration of a trustee-based social authentication system which consists of a Registration Phase and a Recovery Phase. In the Registration Phase, Alice is authenticated with the main authenticator, i.e., password, and then several friends are selected by either Alice herself or the service provider from Alice's friend list and are appointed as Alice's trustees. In the Recovery Phase, when Alice forgets her password or her password was compromised and changed by an attacker, she recovers her account with the help of her trustees.
1. Registration Phase. In the Registration Phase, the system prepares trustees for Alice. Specifically, Alice is first authenticated with the main authenticator, i.e., password, and then a few friends, who also have accounts in the system, are selected by either Alice herself or the service provider from Alice’s friend list and are appointed as Alice’s trustees.
2. Recovery Phase. In the Recovery Phase, when Alice forgets her password or her password was compromised and changed by an attacker, she recovers her account with the help of her trustees. Specifically, Alice first sends an account recovery request with her username to the service provider, which then shows Alice a URL. To obtain verification codes from her predefined trustees, Alice shares this URL with her trustees via emailing them, calling them, or meeting them in person; the trustees then log in to the system and retrieve the verification codes using the given URL. Alice then obtains the verification codes from her trustees, again via email, a phone call, or meeting them in person. If Alice obtains a sufficient number (e.g., 3) of verification codes and presents them to the service provider, then Alice is authenticated and is directed to reset her password. We call the number of verification codes required to be authenticated the recovery threshold. Note that it is important for Alice to know who her trustees are in the Recovery Phase. Schechter et al. [13] showed via user studies that users cannot remember their trustees. Thus, a usable trustee-based social authentication system should remind Alice of her trustees.

Next, we provide details about two representative trustee-based social authentication systems which use the architecture shown in Figure 1 and were implemented by Microsoft [13] and Facebook [11, 12], respectively.

Microsoft's trustee-based social authentication: Schechter et al. [13] designed and built a trustee-based social authentication system and integrated it into Microsoft's Windows Live ID service. In the Registration Phase, users provide four trustees. The recovery threshold is three, i.e., a user is authenticated if he or she obtains verification codes from at least three trustees in the Recovery Phase. Moreover, users are reminded of their trustees.
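A working model of the two phases just described, added here as an example; it is not code from the paper, Microsoft or Facebook. The class name TrusteeAuthService, its method names and the users mentioned in the usage note are constructed; the defaults (four trustees, a recovery threshold of three, and a reminder of who the trustees are) follow the Microsoft parameters given above. The recoverable_if_compromised helper at the end is an operator-side exposure check that follows the abstract's observation that one compromised profile puts the accounts depending on it at risk.

```python
import hmac
import secrets
import time
from hashlib import pbkdf2_hmac

# Added example, not the paper's or either vendor's code: a minimal service with the
# Registration Phase and Recovery Phase described above. Defaults follow the parameters
# the paper reports for Microsoft's system (four trustees, recovery threshold three).
# The class, its method names and the sample users are constructed.


class TrusteeAuthService:
    def __init__(self, threshold=3, min_trustees=4, max_trustees=5, code_ttl=3600):
        assert threshold <= min_trustees, "threshold must be reachable with the minimum trustees"
        self.threshold, self.min_trustees, self.max_trustees = threshold, min_trustees, max_trustees
        self.code_ttl = code_ttl          # seconds a recovery request stays valid
        self.accounts = {}                # username -> {"salt", "pw_hash", "friends", "trustees"}
        self.recoveries = {}              # url token -> pending recovery request

    @staticmethod
    def _hash(password, salt):            # main authenticator: a salted password hash
        return pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def create_account(self, username, password, friends=()):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"salt": salt, "pw_hash": self._hash(password, salt),
                                   "friends": set(friends), "trustees": []}

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct["pw_hash"], self._hash(password, acct["salt"]))

    # Registration Phase: trustees are chosen only while the user holds the main authenticator
    def register_trustees(self, username, password, trustees):
        if not self.login(username, password):
            raise PermissionError("trustee selection requires the password")
        acct = self.accounts[username]
        trustees = list(dict.fromkeys(trustees))          # drop duplicates, keep order
        if not self.min_trustees <= len(trustees) <= self.max_trustees:
            raise ValueError(f"need {self.min_trustees} to {self.max_trustees} trustees")
        for t in trustees:
            if t == username or t not in acct["friends"] or t not in self.accounts:
                raise ValueError(f"{t} is not a friend with an account in the system")
        acct["trustees"] = trustees

    # Recovery Phase, step 1: Alice asks for recovery, gets a URL token and a trustee reminder
    def begin_recovery(self, username, now=None):
        acct = self.accounts[username]
        if not acct["trustees"]:
            raise ValueError("no trustees registered")
        token = secrets.token_urlsafe(24)
        self.recoveries[token] = {"user": username, "issued": time.time() if now is None else now,
                                  "codes": {t: secrets.token_hex(4) for t in acct["trustees"]},
                                  "issued_to": set()}
        return token, list(acct["trustees"])              # the reminder Schechter et al. call for

    # step 2: a trustee logs in with their own password and reads their code via the URL
    def trustee_fetch_code(self, token, trustee, trustee_password):
        req = self.recoveries.get(token)
        if req is None or not self.login(trustee, trustee_password):
            raise PermissionError("unknown request or trustee login failed")
        if trustee not in req["codes"] or trustee in req["issued_to"]:
            raise PermissionError("not a trustee for this request, or code already issued")
        req["issued_to"].add(trustee)                     # each trustee's code is handed out once
        return req["codes"][trustee]

    # step 3: Alice presents {trustee: code}; success needs `threshold` distinct valid codes
    def complete_recovery(self, token, presented, new_password, now=None):
        req = self.recoveries.pop(token, None)            # a request is consumed on first attempt
        now = time.time() if now is None else now
        if req is None or now - req["issued"] > self.code_ttl:
            return False
        valid = sum(1 for t, c in presented.items()
                    if t in req["issued_to"] and hmac.compare_digest(req["codes"][t], c))
        if valid < self.threshold:
            return False
        acct = self.accounts[req["user"]]                 # reset the main authenticator
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = self._hash(new_password, acct["salt"])
        return True


def recoverable_if_compromised(service, compromised):
    """Operator-side exposure check: starting from a set of compromised accounts, return every
    account that could also be recovered because `threshold` of its trustees are in the set."""
    reachable, changed = set(compromised), True
    while changed:                                        # repeat until the cascade stops spreading
        changed = False
        for user, acct in service.accounts.items():
            if user not in reachable and acct["trustees"] and \
                    sum(t in reachable for t in acct["trustees"]) >= service.threshold:
                reachable.add(user)
                changed = True
    return reachable
```

To try it: create accounts for alice, bob, carol, dave and erin with create_account, call register_trustees("alice", "alice-pw", ["bob", "carol", "dave", "erin"]), then begin_recovery("alice"), have three of the trustees call trustee_fetch_code with their own passwords, and pass the three codes to complete_recovery. Two codes, an expired request, or a second use of the same URL token all return False, and only codes actually handed out through a trustee login count towards the threshold. Running recoverable_if_compromised over the registered trustee graph shows which accounts a given set of compromised profiles would drag along, which is the measurement an operator wants before choosing the threshold and trustee count.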
Facebook's trustee-based social authentication: Facebook announced its first trustee-based social authentication system, called Trusted Friends, in October 2011 [12]. In May 2013, Facebook announced its redesigned and improved Trusted Friends, renamed Trusted Contacts [11]. In the Registration Phase of Trusted Contacts, a user needs to select three to five friends from his or her friend list as trustees. Similar to Microsoft's trustee-based social authentication, the recovery threshold is set to three. Unlike Microsoft's system, Facebook does not remind a user of his or her trustees but instead asks the user to type in the names of his or her trustees. However, once the user gets one trustee correctly,
Fig. 7 Percentage of compromised user through friends
7. CONCLUSION
Recently, various authentication techniques and methods have been introduced in the market, but each of them has its own advantages and disadvantages. The growing interest in using social network platforms has become a key factor in attacks on these systems. Despite several proposed techniques, very few frameworks have been implemented and tested. In view of the above, a system called real social trustee-based authentication has been proposed in the literature. Although social authentication helps to reduce the existing problems, it has limitations like other two-factor methods. To conclude, we need a highly robust authentication system that provides better reliability and security. Currently, researchers are working on trustee-based authentication systems that provide highly secure authentication.
Future work includes studying the various attacks on accounts together with defense strategies, and also checking the reliability and security of social networks.
References
[1] Hafiz Zahid Ullah Khan, "Comparative Study of Authentication Techniques", International Journal of Video & Image Processing and Network Security (IJVIPNS), Vol. 10, No. 04.
[2] Approaches to Authentication: http://www.e.govt.nz/plone/archive/services/see/see-pki-paper-3/chapter6.html?q=archive/services/see/see-pki-paper-3/chapter6.html [Last visited on 15/05/2011].
[3] Token Based Authentication: http://www.w3.org/2001/sw/Europe/events/foaf galway/papers/fp/token_based_authentication/ [Last visited on 02/05/11].
[4] Biometric Authentication: http://www.cs.bham.ac.uk/~mdr/teaching/modules/security/lectures/biometric.html [Last visited on 02/05/11].
[5] Roman V. Y., "User authentication via behavior based passwords", Systems, Applications and Technology Conference, Farmingdale, NY, 2007.
[6] A. Jain, R. Bolle, and S. Pankanti, Eds., "Biometrics: Personal Identification in Networked Society", Boston, MA: Kluwer Academic, 1999.
[7] A. R. Hurson, J. Ploskonka, Y. Jiao, and H. Haridas, "Security Issues and Solutions in Distributed Heterogeneous Mobile Database Systems", Advances in Computers, Vol. 61, 2004, pp. 107-198.
[8] Knowledge Based Authentication: http://searchsecurity.techtarget.com/definition/knowledge-based-authentication [Last visited on 02/05/11].
[9] Knowledge Based Authentication: http://csrc.nist.gov/archive/kba/index.html [Last visited on 02/05/11].
[10] J. Brainard, A. Juels, R. L. Rivest, M. Szydlo, and M. Yung, "Fourth-factor authentication: Somebody you know".